Christopher Allan Webber 5c2ece7401 Switch test_app generation over to use py.test fixtures.
By doing this, we can take advantage of py.test's ability to create
temporary directories that are then cleaned up later during testing.
This helps for sandboxing things.

This also involves a ton of changes:
 - Changing the get_app stuff appropriately, getting rid of the
   setup_fresh_app decorator
 - Making said fixture
 - Switching over a billion tests to use it
2013-04-04 19:23:04 -05:00


# GNU MediaGoblin -- federated, autonomous media hosting
# Copyright (C) 2011, 2012 MediaGoblin contributors. See AUTHORS.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from mediagoblin import mg_globals
def test_csrf_cookie_set(test_app):
    """The login page must issue the CSRF cookie and mark the response ``Vary: Cookie``.

    Fetches ``/auth/login/`` through the ``test_app`` fixture and checks
    three things: a ``Set-Cookie`` header is present, the configured CSRF
    cookie name is among the cookies set, and the response carries
    ``Vary: Cookie`` so a shared cache never hands one user's nonce to
    another.
    """
    nonce_cookie = mg_globals.app_config['csrf_cookie_name']

    login_page = test_app.get('/auth/login/')

    # a plain GET is enough for the middleware to hand out the nonce cookie
    assert 'Set-Cookie' in login_page.headers
    assert nonce_cookie in login_page.cookies_set

    # the response is per-user once a cookie is involved, so caches must key on it
    vary_header = login_page.headers.get('Vary', False)
    assert vary_header == 'Cookie'
# We need a fresh app for this test on webtest < 1.3.6.
# We do not understand why, but it fixes the tests.
# If we require webtest >= 1.3.6, we can switch to a non fresh app here.
#
# ... this comment might be irrelevant post-pytest-fixtures, but I'm not
# removing it yet in case we move to module-level tests :)
# -- cwebber
def test_csrf_token_must_match(test_app):
    """Posts to the login form are rejected unless cookie and form token agree.

    ``gmg.verify_csrf`` in the WSGI environ forces the CSRF check on for
    each request. Four cases are exercised: no cookie and no form token,
    cookie only, cookie plus a non-matching form token (all three expect
    403), and a cookie whose value equals the form token (200).
    """
    login_url = '/auth/login/'
    verify_csrf = {'gmg.verify_csrf': True}
    # str() keeps the header value a native string for the WSGI layer
    nonce_cookie = {'Cookie': str('%s=foo' %
                                  mg_globals.app_config['csrf_cookie_name'])}

    # neither cookie nor form token
    no_token = test_app.post(login_url,
                             extra_environ=verify_csrf,
                             expect_errors=True)
    assert no_token.status_int == 403

    # cookie present, form token missing
    cookie_only = test_app.post(login_url,
                                headers=nonce_cookie,
                                extra_environ=verify_csrf,
                                expect_errors=True)
    assert cookie_only.status_int == 403

    # cookie and form token both present but different
    mismatched = test_app.post(login_url,
                               {'csrf_token': 'blarf'},
                               headers=nonce_cookie,
                               extra_environ=verify_csrf,
                               expect_errors=True)
    assert mismatched.status_int == 403

    # cookie and form token agree: the request is allowed through
    matched = test_app.post(login_url,
                            {'csrf_token': 'foo'},
                            headers=nonce_cookie,
                            extra_environ=verify_csrf)
    assert matched.status_int == 200
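def test_csrf_exempt(test_app):
    """A view wrapped with ``csrf_exempt`` accepts a POST carrying no CSRF data.

    The login view is wrapped in place with ``csrf_exempt`` and then
    posted to with neither cookie nor form token while ``gmg.verify_csrf``
    forces the middleware check on; the request must succeed with 200.
    The ``csrf_enabled`` flag is switched back on in a ``finally`` so a
    failing assertion cannot leave the login view unprotected for later
    tests in the same process.
    """
    # monkey with the views to decorate a known endpoint
    import mediagoblin.auth.views
    from mediagoblin.meddleware.csrf import csrf_exempt

    mediagoblin.auth.views.login = csrf_exempt(
        mediagoblin.auth.views.login
    )
    try:
        # no cookie, no form token: only the exemption lets this through
        response = test_app.post('/auth/login/',
                                 extra_environ={'gmg.verify_csrf': True},
                                 expect_errors=False)
        assert response.status_int == 200
    finally:
        # restore the CSRF protection in case other tests expect it;
        # NOTE(review): as in the original teardown, this assumes csrf_exempt
        # hands back a callable whose csrf_enabled attribute drives the check
        mediagoblin.auth.views.login.csrf_enabled = True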